CVE-2025-35060: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Newforma Project Center
Newforma Info Exchange (NIX) provides a 'Send a File Transfer' feature that allows a remote, authenticated attacker to upload SVG files that contain JavaScript or other content that may be executed or rendered by a web browser using a mobile user agent.
AI Analysis
Technical Summary
CVE-2025-35060 is a cross-site scripting (XSS) vulnerability classified under CWE-79, affecting Newforma Project Center, specifically its Info Exchange (NIX) 'Send a File Transfer' feature. The vulnerability allows a remote attacker with valid authentication to upload SVG files that embed JavaScript or other executable content. When these SVG files are rendered by a web browser, particularly on mobile user agents, the embedded scripts can execute, leading to potential compromise of user sessions or unauthorized actions. The root cause is improper neutralization of input during web page generation: the application does not sufficiently sanitize or validate SVG content before rendering it in the browser context. The CVSS 4.0 vector indicates a network attack vector (AV:N), low attack complexity (AC:L), no special attack requirements (AT:N), low privileges required, i.e. an authenticated account, consistent with the description (PR:L), and passive user interaction (UI:P). The vulnerability impacts the confidentiality, integrity, and availability of the vulnerable system at a low level (VC:L, VI:L, VA:L), and does not affect the confidentiality (SC:N), integrity (SI:N), or availability (SA:N) of subsequent systems. No patches are currently linked, and no known exploits are in the wild, suggesting this is a newly disclosed vulnerability. The affected version is listed as '0', which likely indicates all current versions or an unspecified version. The vulnerability is particularly concerning for environments where users access the platform via mobile browsers, as the SVG rendering and script execution vector is more prominent there.
Potential Impact
For European organizations using Newforma Project Center, especially those in the architecture, engineering, and construction sectors, this vulnerability poses a risk of session hijacking, unauthorized data access, or manipulation via malicious SVG files. Since exploitation requires authentication and user interaction, the threat is somewhat limited but still significant in environments with many users and frequent file exchanges. Mobile users are particularly exposed because of how mobile browsers render SVG content. Successful exploitation could lead to compromised user credentials, unauthorized project data disclosure, or manipulation of project workflows. This could result in financial loss, reputational damage, and regulatory compliance issues under GDPR if personal or sensitive data is exposed. The lack of known exploits reduces immediate risk, but the medium CVSS score indicates that organizations should act proactively. The impact is more pronounced in organizations with an extensive remote or mobile workforce and in those that rely heavily on Newforma's file transfer features.
Mitigation Recommendations
1. Restrict or disable SVG file uploads in the Newforma Project Center until a patch is available.
2. Implement server-side validation and sanitization of SVG files to remove any embedded scripts or potentially malicious content before accepting uploads.
3. Enforce strict Content Security Policy (CSP) headers to limit script execution scope in browsers accessing the platform.
4. Educate users about the risks of interacting with untrusted SVG files and encourage cautious behavior when opening file transfers.
5. Monitor logs for unusual upload patterns or repeated attempts to upload SVG files.
6. Apply multi-factor authentication (MFA) to reduce the risk of compromised credentials being used to exploit this vulnerability.
7. Regularly check for vendor updates or patches addressing this vulnerability and apply them promptly.
8. Consider isolating the file transfer feature or limiting its use to trusted users or groups to reduce exposure.
9. Conduct internal security assessments or penetration tests focusing on file upload functionalities to identify similar weaknesses.
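As an added example (written for this page, not code from Newforma or from the advisory), the following Python shows recommendations 2 and 3 together: a server-side SVG sanitizer that strips script-capable elements, event-handler attributes and javascript: links before an upload is stored, plus the response headers that stop a stored SVG from executing script if it is ever served inline. The element list, function names and the sample file are assumptions made for the example.

```python
import re
import xml.etree.ElementTree as ET  # production code should parse with defusedxml to also block entity expansion

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Elements that can execute script or embed arbitrary HTML inside an SVG document.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object", "set", "animate"}
# Link attributes (href and xlink:href) that must not use a script-capable scheme; data: is blocked too since it can carry a nested SVG.
URL_ATTRS = {"href", f"{{{XLINK_NS}}}href"}
UNSAFE_SCHEME = re.compile(r"^\s*(javascript|data|vbscript)\s*:", re.IGNORECASE)

def _local(name: str) -> str:
    """Strip the '{namespace}' prefix from an element or attribute name."""
    return name.rsplit("}", 1)[-1]

def sanitize_svg(data: bytes) -> tuple[bytes, list[str]]:
    """Return (cleaned SVG bytes, findings); raises if the root element is not <svg>."""
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("upload is not an SVG document")
    findings: list[str] = []
    for parent in list(root.iter()):  # snapshot, since children are removed while walking
        for child in list(parent):
            if _local(child.tag) in ACTIVE_ELEMENTS:
                findings.append(f"removed <{_local(child.tag)}>")
                parent.remove(child)
    for elem in root.iter():
        for attr in list(elem.attrib):
            name = _local(attr).lower()
            if name.startswith("on"):  # onload, onclick, onerror, ...
                findings.append(f"removed {name} handler on <{_local(elem.tag)}>")
                del elem.attrib[attr]
            elif attr in URL_ATTRS and UNSAFE_SCHEME.match(elem.attrib[attr]):
                findings.append(f"removed unsafe {name} URL on <{_local(elem.tag)}>")
                del elem.attrib[attr]
    ET.register_namespace("", SVG_NS)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), findings

def download_headers() -> dict[str, str]:
    """Headers for serving stored uploads: force download, no MIME sniffing, no script if rendered anyway."""
    return {
        "Content-Disposition": "attachment",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; sandbox",
    }

# Constructed sample (not a file from the advisory): a legitimate circle wrapped in markup that
# carries a <script> element, an onload handler and a javascript: link.
SAMPLE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     onload="run()"><script>run()</script>
  <a xlink:href="javascript:run()"><circle cx="10" cy="10" r="5"/></a></svg>"""
cleaned, report = sanitize_svg(SAMPLE_SVG)  # cleaned keeps only the <svg><a><circle/></a></svg> skeleton
```

The sanitizer is an allow-nothing-active filter, not a full schema validator; pairing it with the download headers means a file that slips past the parser still cannot run script in the user's origin.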
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: cisa-cg
- Date Reserved: 2025-04-15T20:56:24.406Z
- Cvss Version: 4.0
- State: PUBLISHED
Threat ID: 68e81d27ba0e608b4fac9454
Added to database: 10/9/2025, 8:37:59 PM
Last enriched: 10/9/2025, 8:54:13 PM
Last updated: 10/10/2025, 9:19:08 PM